How DreamHost’s Security Team Built Our Malware Remover from the Ground Up

Security is not a product. It’s the result of focus, hard work, and dedication by smart people who pay attention to things that the rest of us ignore.

DreamHost’s security team is made up of just such people. They’re constantly scanning the horizon for new threats and stepping in to help others avoid safety pitfalls.

Like many other hosting companies, DreamHost has a wide exposure to threats. For example, the internal corporate systems are a fat target, loaded with millions of customers' private data and credit card information. And the millions of websites run by customers are a vast landscape that attracts all sorts of criminal hustles, from intrusions and vandalism to denial of service and more.

Stick to The Scripts

To help protect DreamHost's networks, the security team years ago started running a set of scripts to identify infected files stored on our systems. From one-click installs to files inside customers' directories, the scripts would look for known signatures of infections and report issues.

These scripts had room for improvement, though.

They could take anywhere from 25 minutes up to 4 hours to run! They were also clunky and cumbersome to use, since the output was a pile of quarantined files with very little data to explain why a given file had been considered infected.

Refined System, New Product

When the security team started re-architecting these scripts four years ago, they focused on designing a better system.

They wanted something that not only spotted malware but also kept a classification of signatures, managed whitelists, allowed Tech Support to safely handle malware, and had a nice front-end.

Designing the system took weeks and countless whiteboard iterations. But those brainstorm sessions paid off because, after several internal refinements, the database of signatures became a central piece of the Malware Remover service that DreamHost now offers to customers.

What Else Does Our Security Team Do?

To prevent disruption to our systems, the security team works together with our network operations team to stop and mitigate denial-of-service attacks. These come in many forms, from the classic SYN flood to application-layer (layer 7) abuse.

DreamHost constantly monitors traffic to customers' websites, looking for patterns that may be disruptive and blocking any that are. Much of that work goes into ModSecurity rules and into fail2ban on the frontier firewalls.

For example, when the monitors detect an IP address trying to log in to multiple WordPress sites many times in a short timeframe, that IP gets blocked for a period, and for longer again if the same pattern re-emerges. That keeps most abusers under control and websites running more smoothly.
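The escalating-block logic just described, written out as an added illustration (this is not DreamHost's code; the log format, the five-minute window, the three-site threshold and the ban durations are all assumptions, and the log lines are constructed):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# "<ISO time> <client IP> POST <site>/wp-login.php"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 POST alpha.example/wp-login.php
2024-05-01T10:00:03 203.0.113.5 POST beta.example/wp-login.php
2024-05-01T10:00:05 203.0.113.5 POST gamma.example/wp-login.php
2024-05-01T10:00:07 198.51.100.9 POST alpha.example/wp-login.php
2024-05-01T10:00:09 198.51.100.9 POST alpha.example/wp-login.php
2024-05-01T10:00:11 198.51.100.9 POST alpha.example/wp-login.php
2024-05-01T10:20:01 203.0.113.5 POST delta.example/wp-login.php
2024-05-01T10:20:03 203.0.113.5 POST alpha.example/wp-login.php
2024-05-01T10:20:05 203.0.113.5 POST beta.example/wp-login.php
"""

WINDOW = timedelta(minutes=5)      # assumed "short timeframe"
MIN_SITES = 3                      # assumed number of distinct sites that trips the rule
BAN_STEPS = [timedelta(minutes=10), timedelta(hours=1), timedelta(hours=24)]  # assumed escalation

def parse(line):
    """Split one log line into (timestamp, ip, site host)."""
    ts, ip, _method, target = line.split()
    return datetime.fromisoformat(ts), ip, target.split("/", 1)[0]

def detect_bans(log_text):
    """Return a list of (ip, detected_at, banned_until), one entry per ban issued."""
    recent = defaultdict(list)    # ip -> (time, site) events still inside WINDOW
    offenses = defaultdict(int)   # ip -> how many times the pattern has been seen
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        t, ip, site = parse(line)
        if ip in banned_until and t < banned_until[ip]:
            continue  # traffic during an active ban is dropped, not re-counted
        events = [(ts, s) for ts, s in recent[ip] if t - ts <= WINDOW]
        events.append((t, site))
        recent[ip] = events
        # the pattern is logins spread across several sites, not repeated hits on one
        if len({s for _, s in events}) >= MIN_SITES:
            step = min(offenses[ip], len(BAN_STEPS) - 1)  # escalate, capped at the last step
            until = t + BAN_STEPS[step]
            offenses[ip] += 1
            banned_until[ip] = until
            bans.append((ip, t, until))
            recent[ip] = []  # start a fresh window once the ban expires
    return bans
```

In the sample data, 203.0.113.5 hits three different sites twice and receives a 10-minute ban followed by a 1-hour one, while 198.51.100.9, which only hammers a single site, never matches this particular multi-site rule.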

And there's a lot more going on with kernel security: the team uses Ksplice and grsecurity technology to stop or mitigate vulnerabilities. The team also serves as internal consultants, vetting all software development and acquisition. Customer privacy also falls under their realm of expertise.